| | S3 Bucket Policies | S3 ACLs | IAM Policies |
|---|---|---|---|
| Scope | Applied to an S3 bucket to control access to the bucket; can also control permissions on specific objects | Applied to a bucket or to an individual object. An older access control mechanism that is no longer recommended where it can be avoided | Applied to IAM users, groups, and roles across the AWS account |
| Syntax | JSON-based policies | XML-based policies written in a specific format | JSON-based policies |
| Flexibility | Provide granular control with powerful conditions and fine-grained permissions | Provide basic access control with fewer options for advanced permissions | Provide centralized access management for many AWS services, not just S3 |
| Permissions | Can define access controls for both bucket-level and object-level operations | Can define access controls for individual objects and bucket-level operations using the fixed set READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL | Can define fine-grained access controls for many AWS services, including S3 |
| Principal-Based | Identify the principal (role, user, group, or AWS account) and define its access permissions | Identify the user or group (grantee) and define its access permissions | Define permissions for IAM users, groups, and roles by attaching policies to them |
| IAM Integration | Can reference IAM users, groups, and roles in policies to grant additional permissions or restrict access | Can use canonical user IDs to grant permissions to an AWS account (or email addresses, which are converted to canonical user IDs), or a URI to grant permissions to a predefined group | Created and managed separately from S3 bucket policies; IAM policies are attached to IAM entities to control their S3 access |
| Examples | Grant read access to all objects in a bucket to a specific IAM role | Grant write access to a specific object to a user in an external AWS account | Grant full access to an S3 bucket to an IAM group, while denying delete permissions to specific IAM users |
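The two policy-based scenarios from the Examples row written out as policy documents, with a small evaluator that shows why an explicit Deny attached to specific users overrides the group's Allow. This is an added example, not part of the original table: the bucket name, account id 111122223333 and role name are constructed placeholders, and the evaluator is a simplified model of AWS policy evaluation (no Principal, Condition, NotAction or cross-account handling), not the real engine.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: bucket name, account id, role name.
BUCKET = "arn:aws:s3:::example-bucket"
READER_ROLE = "arn:aws:iam::111122223333:role/ReportReaderRole"

# Bucket policy: read access to all objects in the bucket for one IAM role.
# The Principal element is what makes this a resource-based policy.
BUCKET_POLICY_READ_FOR_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": READER_ROLE},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
}]}

# IAM policy attached to a group: full access to the bucket. Identity-based
# policies carry no Principal; the identity they are attached to is the principal.
GROUP_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
}]}

# IAM policy attached only to specific users in that group: an explicit
# Deny on deletes, which overrides the group's Allow.
USER_DENY_DELETE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
    "Resource": BUCKET + "/*",
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Toy evaluator: default deny; any matching explicit Deny beats every Allow.
    Simplified model: ignores Principal, Condition, NotAction and cross-account rules."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny short-circuits the evaluation
            allowed = True
    return allowed
```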